Shuangpeng Bai

Ph.D. Candidate
College of Information Sciences and Technology
The Pennsylvania State University

E-mail: sjb7183 at psu dot edu

Short Bio: I am a Ph.D. candidate at Penn State University, advised by Prof. Hong Hu. Before joining Penn State University, I obtained my Bachelor's degree from Beijing Jiaotong University and my Master's degree from the University of Chinese Academy of Sciences. My research interests include Operating System Security, especially vulnerability detection and exploitation.


Publications

  1. CountDown: Refcount-guided Fuzzing for Exposing Temporal Memory Errors in Linux Kernel
    Shuangpeng Bai, Zhechang Zhang, Hong Hu
    In Proceedings of the 31st ACM Conference on Computer and Communications Security (CCS 2024).

    Abstract: Kernel use-after-free (UAF) bugs are severe threats to system security due to their complex root causes and high exploitability. We find that 36.1% of recent kernel UAF bugs are caused by improper uses of reference counters, dubbed refcount-related UAF bugs. Current kernel fuzzing tools based on code coverage can detect common memory errors, but none of them is aware of the root cause. As a consequence, they only trigger refcount-related UAF bugs passively and coincidentally, and may miss many deep hidden vulnerabilities.
    To actively trigger refcount-related UAF bugs, in this paper, we propose CountDown, a novel refcount-guided kernel fuzzer. CountDown collects diverse refcount operations from kernel executions and reshapes syscall relations based on commonly accessed refcounts. When generating user-space programs, CountDown prefers to combine syscalls that ever access the same refcounts, aiming to trigger complex refcount behaviors. It also injects refcount-decreasing and refcount-accessing syscalls to intentionally free the refcounted object and trigger invalid accesses through dangling pointers. We test CountDown on mainstream Linux kernels and compare it with popular fuzzers. On average, our tool can detect 66.1% more UAF bugs and 32.9% more KASAN reports than state-of-the-art tools. CountDown has found nine new kernel memory bugs, where two are fixed and one is confirmed.
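    The program-generation idea in the abstract (relate syscalls by the refcounts they touch, combine related syscalls, then inject a refcount-decreasing call followed by a refcount-accessing call) can be modelled in a few lines. The following is an added illustrative sketch, not CountDown's code; the trace format and syscall names are constructed assumptions.

```python
from collections import defaultdict
from itertools import combinations
import random

# Constructed sample trace (assumed format): for each syscall, the refcounts
# it touched during a recorded kernel execution and how it touched them.
TRACE = {
    "open_sock":  {"sock_refcnt": "inc"},
    "bind_sock":  {"sock_refcnt": "access"},
    "close_sock": {"sock_refcnt": "dec"},
    "send_sock":  {"sock_refcnt": "access", "skb_refcnt": "inc"},
    "read_file":  {"file_refcnt": "access"},
    "close_file": {"file_refcnt": "dec"},
}

def build_relations(trace):
    """Return (refcount -> syscalls touching it, syscall -> related syscalls).
    Two syscalls are related when they ever accessed the same refcount."""
    by_refcnt = defaultdict(set)
    for sc, ops in trace.items():
        for rc in ops:
            by_refcnt[rc].add(sc)
    related = defaultdict(set)
    for scs in by_refcnt.values():
        for a, b in combinations(sorted(scs), 2):
            related[a].add(b)
            related[b].add(a)
    return by_refcnt, related

def generate_program(trace, seed_syscall, seed=0):
    """Build a syscall sequence around seed_syscall: first its refcount-related
    syscalls, then an injected 'dec' followed by an 'access' on one refcount
    the seed touches, so a dangling access follows the potential free."""
    rng = random.Random(seed)
    by_refcnt, related = build_relations(trace)
    prog = [seed_syscall] + sorted(related[seed_syscall])
    rc = rng.choice(sorted(trace[seed_syscall]))
    decs = sorted(s for s in by_refcnt[rc] if trace[s][rc] == "dec")
    accs = sorted(s for s in by_refcnt[rc] if trace[s][rc] == "access")
    if decs and accs:  # only inject when both roles exist for this refcount
        prog += [rng.choice(decs), rng.choice(accs)]
    return prog, rc

if __name__ == "__main__":
    prog, rc = generate_program(TRACE, "open_sock")
    print(f"refcount {rc}: {' -> '.join(prog)}")
```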


Experience